CVE-2020-12003

Vulnerability

An exposed API call in FactoryTalk Linx versions 6.00, 6.10, and 6.11, as well as in products that utilize this software (Connected Components Workbench version 12 and prior, ControlFLASH version 14 and later, ControlFLASH Plus version 1 and later, FactoryTalk Asset Centre version 9 and later, FactoryTalk Linx CommDTM version 1 and later, Studio 5000 Launcher version 31 and later, and Studio 5000 Logix Designer software version 32 and prior), allows users to provide files to be processed without sanitation. This vulnerability, identified as CVE-2020-12003, is classified as an Improper Input Validation (CWE-20) issue that can be exploited remotely with low skill level [1].

Exploitation

An attacker with network access and low privileges (required authentication) can send specially crafted requests that traverse the file system. The attacker does not require user interaction. By manipulating file paths in API calls, the attacker can read arbitrary files from the local hard drive of the affected system [1].

Impact

Successful exploitation allows the attacker to read sensitive information from the local file system, leading to information disclosure. The CVSS v3 base score is 9.6, with a vector string of AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, indicating high impact on confidentiality, though availability is not affected [1].

Mitigation

Rockwell Automation has released updates to address this vulnerability: FactoryTalk Linx version 6.11.0 and later, and for other affected products, users should update to the latest versions as recommended by the vendor. The advisory (ICSA-20-163-02) from CISA provides details on mitigations and workarounds, including restricting network access to the software [1].